Date: Sun, 28 Feb 2016 12:24:58 -0500 (EST)
From: Vladis Dronov <vdronov@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE request -- linux kernel: visor: crash on invalid USB device descriptors in treo_attach() in visor driver

Hello,

If possible, we would like to obtain a CVE-ID for the following issue.
Please let me note that this flaw is very similar to the already existing
CVE-2015-7566 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7566).
This is the same type of flaw, which just exists in a different function,
treo_attach() (instead of clie_5_attach()), so probably we can use the same
CVE-2015-7566 for this.

Description:

A local kernel crash on an invalid USB device requiring the visor driver was reported.
The treo_attach() function of the [visor] driver, which is called during the driver
initialization process, was dereferencing the bulk-in and interrupt-in urbs without
first making sure they had been allocated by the core. Due to an incomplete sanity
check, the visor driver tries to dereference null pointers, which results in a crash.

References:

Red Hat public Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1312670
An upstream patch: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cb3232138e37129e88240a98a1d2aba2187ff57c

Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer
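
The missing sanity check described in the message above, as an added example that is not part of the original post and is not the upstream patch: a simplified user-space C model in which the core sets up urbs only for endpoints the device declared, and the attach step rejects a device before touching urbs that were never allocated. All struct and function names, the urb-swap behaviour and the two-endpoint threshold are assumptions of this model.

```c
#include <errno.h>
#include <stddef.h>

/* User-space model; every struct and function name here is hypothetical. */
struct urb { void *context; };
struct port { struct urb *read_urb, *interrupt_in_urb; };
struct serial {
    int num_bulk_in, num_interrupt_in; /* endpoint counts from the descriptors */
    struct urb pool[4];                /* backing storage for allocated urbs */
    struct port port[2];
};

/* Models the core: a urb is set up only for an endpoint the device declared. */
static void core_setup(struct serial *s, int bulk_in, int int_in)
{
    s->num_bulk_in = bulk_in;
    s->num_interrupt_in = int_in;
    for (int i = 0; i < 2; i++) {
        s->port[i].read_urb = i < bulk_in ? &s->pool[i] : NULL;
        s->port[i].interrupt_in_urb = i < int_in ? &s->pool[2 + i] : NULL;
    }
}

/* Attach step: swaps the two ports' input urbs and re-points their contexts. */
static int attach_checked(struct serial *s)
{
    /* Without this check the context writes below dereference NULL urbs. */
    if (s->num_bulk_in < 2 || s->num_interrupt_in < 2)
        return -ENODEV;
    struct port tmp = s->port[0];
    s->port[0] = s->port[1];
    s->port[1] = tmp;
    for (int i = 0; i < 2; i++) {
        s->port[i].read_urb->context = &s->port[i];
        s->port[i].interrupt_in_urb->context = &s->port[i];
    }
    return 0;
}

/* Runs the model on constructed endpoint counts and returns the attach result. */
static int try_attach(int bulk_in, int int_in)
{
    struct serial s;
    core_setup(&s, bulk_in, int_in);
    return attach_checked(&s);
}

int main(void) { return (try_attach(2, 2) == 0 && try_attach(1, 0) == -ENODEV) ? 0 : 1; }
```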